Mobile Application Vetting
Application Vetting or “App Vetting” is the strategy for managing risk and assuring mobile applications consistently comply with agency security requirements.
Key aspects include:
- Policy for mobile security. Ensure your agency’s security policies cover the use of mobile applications. The CIO Mobile Baseline and the NIST Guidelines are valuable resources to help shape policy, strategy and priorities, and the Mobile Application Playbook (MAP) is available to assist in the planning, management, and execution of mobile application projects from start to finish.
- Security requirements for mobile apps. A top priority for vetting applications is having an established security baseline. The Protection Profile from the National Information Assurance Partnership (NIAP) is used across government for establishing baseline mobile application security profiles. Other sources include DISA’s Risk Rating.
- App Vetting tool(s). Specialized software is required to test, validate and verify mobile apps against the security baseline. GSA has gathered a list of App Vetting tools used by agencies and industry, but note that this is a niche, relatively new marketplace with rapidly changing suppliers and solutions.
- Maintainability and reciprocity. Change is constant in the mobility space. Apps and mobile device operating systems are continually being updated, and each release can introduce new risks, so vetting is an ongoing function rather than a one-time gate. Make sure your resourcing plans account for it. Also, consider collaborating with other federal agencies through the Mobile App Security Vetting Working Group (MASVWG), MASVWG@LISTSERV.GSA.GOV, a cross-agency group working on recommendations for sharing best practices and information on pre-vetted applications.